/// Find uses of standard freeing functons on values allocated using devm_ /// functions. Values allocated using the devm_functions are freed when /// the device is detached, and thus the use of the standard freeing /// function would cause a double free. /// See Documentation/driver-model/devres.txt for more information. /// /// A difficulty of detecting this problem is that the standard freeing /// function might be called from a different function than the one /// containing the allocation function. It is thus necessary to make the /// connection between the allocation function and the freeing function. /// Here this is done using the specific argument text, which is prone to /// false positives. There is no rule for the request_region and /// request_mem_region variants because this heuristic seems to be a bit /// less reliable in these cases. /// // Confidence: Moderate // Copyright: (C) 2011 Julia Lawall, INRIA/LIP6. GPLv2. // Copyright: (C) 2011 Gilles Muller, INRIA/LiP6. GPLv2. // URL: http://coccinelle.lip6.fr/ // Comments: // Options: --no-includes --include-headers virtual org virtual report virtual context @r depends on context || org || report@ expression x; @@ ( x = devm_kmalloc(...) | x = devm_kvasprintf(...) | x = devm_kasprintf(...) | x = devm_kzalloc(...) | x = devm_kmalloc_array(...) | x = devm_kcalloc(...) | x = devm_kstrdup(...) | x = devm_kmemdup(...) | x = devm_get_free_pages(...) | x = devm_request_irq(...) | x = devm_ioremap(...) | x = devm_ioremap_nocache(...) | x = devm_ioport_map(...) ) @pb@ expression r.x; position p; @@ ( * kfree@p(x) | * kzfree@p(x) | * __krealloc@p(x, ...) | * krealloc@p(x, ...) | * free_pages@p(x, ...) | * free_page@p(x) | * free_irq@p(x) | * iounmap@p(x) | * ioport_unmap@p(x) ) @script:python depends on org@ p << pb.p; @@ msg="WARNING: invalid free of devm_ allocated data" coccilib.org.print_todo(p[0], msg) @script:python depends on report@ p << pb.p; @@ msg="WARNING: invalid free of devm_ allocated data" coccilib.report.print_report(p[0], msg) 64'>diff
path: root/include/soc/imx/timer.h
n' name='id' value='91539eb1fda2d530d3b268eef542c5414e54bf1a'/>
AgeCommit message (Expand)AuthorFilesLines
context:
space:
mode:
authorIago Abal <mail@iagoabal.eu>2017-01-11 14:00:21 +0100
committerVinod Koul <vinod.koul@intel.com>2017-01-25 15:35:11 +0530
commit91539eb1fda2d530d3b268eef542c5414e54bf1a (patch)
tree960f5ca6342ad20837aff18aad6e8ecd7da32fd6 /tools/build/feature/test-dwarf_getlocations.c
parent6610d0edf6dc7ee97e46ab3a538a565c79d26199 (diff)
dmaengine: pl330: fix double lock
The static bug finder EBA (http://www.iagoabal.eu/eba/) reported the following double-lock bug: Double lock: 1. spin_lock_irqsave(pch->lock, flags) at pl330_free_chan_resources:2236; 2. call to function `pl330_release_channel' immediately after; 3. call to function `dma_pl330_rqcb' in line 1753; 4. spin_lock_irqsave(pch->lock, flags) at dma_pl330_rqcb:1505. I have fixed it as suggested by Marek Szyprowski. First, I have replaced `pch->lock' with `pl330->lock' in functions `pl330_alloc_chan_resources' and `pl330_free_chan_resources'. This avoids the double-lock by acquiring a different lock than `dma_pl330_rqcb'. NOTE that, as a result, `pl330_free_chan_resources' executes `list_splice_tail_init' on `pch->work_list' under lock `pl330->lock', whereas in the rest of the code `pch->work_list' is protected by `pch->lock'. I don't know if this may cause race conditions. Similarly `pch->cyclic' is written by `pl330_alloc_chan_resources' under `pl330->lock' but read by `pl330_tx_submit' under `pch->lock'. Second, I have removed locking from `pl330_request_channel' and `pl330_release_channel' functions. Function `pl330_request_channel' is only called from `pl330_alloc_chan_resources', so the lock is already held. Function `pl330_release_channel' is called from `pl330_free_chan_resources', which already holds the lock, and from `pl330_del'. Function `pl330_del' is called in an error path of `pl330_probe' and at the end of `pl330_remove', but I assume that there cannot be concurrent accesses to the protected data at those points. Signed-off-by: Iago Abal <mail@iagoabal.eu> Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Diffstat (limited to 'tools/build/feature/test-dwarf_getlocations.c')